HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)


Transcript of HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

Page 1: HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)


Page 2: Agenda

- Role of CMS
- Security Rule Overview
- CMS’ HIPAA Security Strategy
- Providence Resolution Agreement
- Summary & Conclusion
- Q&A

Page 3: Role of CMS

CMS has delegated authority to enforce the non-privacy provisions of the HIPAA regulations:
- Transactions and Code Sets
- Identifiers (NPI, EIN)
- Security

CMS is responsible for HIPAA enforcement as well as:
- Regulatory/Policy Interpretation
- Outreach and Education
- Guidance and FAQs
- New Regulations (including other eHealth-related issues, e.g. eRx)

Page 4: Security Rule Overview

- Applies to Electronic Protected Health Information (EPHI) that a covered entity creates, receives, maintains, or transmits
- Scalability/Flexibility: based on organization size, complexity, technical capabilities and infrastructure, cost of security measures, and potential security risks
- Technologically Neutral: describes “what” needs to be done vs. “how” it is to be done
- Standards are required, but the implementation specifications may be either required or addressable. An addressable specification is not optional: the covered entity must implement it, implement an equivalent alternative measure, or document why neither is reasonable and appropriate in its environment.

Page 5: CMS’ HIPAA Security Strategy

CMS takes a three-pronged approach to HIPAA Security. The three prongs are:
- Outreach & Education
- Enforcement
- Compliance Reviews

Page 6: Outreach and Education Efforts

- Federal and Non-Federal Collaboration
- Develop/Disseminate Educational & Guidance Materials
  - Security Papers:
    1. Administrative, Physical and Technical Safeguards
    2. Basics of Risk Analysis and Risk Management
    3. Implementation for the Small Provider
  - Frequently Asked Questions
  - Security Compliance Review Checklist
  - Remote Use and Access Guidance

The materials can be found on the CMS Website at: http://www.cms.hhs.gov (under the link for Regulations and Guidance).

Page 7: Outreach & Education - Remote Use & Access Guidance

Rationale:
- Increased risk to protected health information associated with increased remote access to EPHI
  - Increase in workforce mobility
  - Increase in use of portable media storage devices
- Recent security-related incidents
  - Reported loss or theft of devices containing EPHI
  - Reported access to health information by unauthorized users

Page 8: Outreach & Education - Highlights of Remote Access Guidance

- Published December 28, 2006
- Reiterates requirements of the HIPAA Security Rule
- Identifies strategies consistent with organizational capabilities (Scalable and Flexible)
- Pertains to Access, Storage and Transmission of EPHI
- Three categories of action highlighted:
  1. Conducting Security Risk Assessment
  2. Developing and Implementing Policies and Procedures
  3. Implementing Mitigation Strategies

Page 9: HIPAA Security Enforcement – Current Process

- Review complaint to determine validity and scope
- Notify “Filed Against Entity” (FAE) of complaint
- Request specific documents from the FAE
- Assess documents to determine if they:
  1. Demonstrate compliance
  2. Demonstrate the need for a Corrective Action Plan (CAP)
- Monitor CAPs to completion
- Close complaint upon demonstration of compliance
- Issue closure correspondence to all parties

Page 10: HIPAA Security Enforcement – Overlapping Complaints

- CMS and the Office for Civil Rights (OCR) collaborate on cases that overlap the Security and Privacy Rules
- Approximately 70% of the CMS Security cases are referrals from OCR
- Majority of Security complaints: allegation of inappropriate access and risk of inappropriate disclosure

Page 11: HIPAA Security Enforcement - Complaint Categories

- Unauthorized access to EPHI
  - Employees or relatives accessing EPHI
- Loss or theft of devices containing EPHI
  - Small volume of complaints; large volume of records
- Insufficient access controls for systems containing EPHI
  - Shared passwords
  - Encryption

CMS has received 350 Security Rule complaints: 102 cases are open and 248 cases have been resolved.

Page 12: Onsite HIPAA Security Compliance Reviews

- Contracted with PricewaterhouseCoopers (PwC) for 10 reviews in 2008
- Reviews place emphasis on remote use and access issues
- CMS publishes de-identified post-review information
- Initial target: entities against whom a complaint has been filed and a risk to the security of a large volume of records has been reported
- The compliance reviews will be used as a tool to achieve voluntary compliance

Page 13: Onsite HIPAA Security Compliance Reviews - Continued

- Compliance reviews have revealed several key areas of vulnerability, including:
  1. Lack of encryption for portable devices and media
  2. Lack of verification of role-based access privileges
- Reviews have resulted in CAPs that include:
  1. Policies and procedures for remote use/access
  2. Designation of internal security audit personnel
- Compliance review cases are generally closed when CMS verifies completion of the CAP

Page 14: OIG Security Audit Initiative

- Objective is to determine if certain covered entities have implemented measures in accordance with provisions of the HIPAA Security Rule
- The recent OIG review of Piedmont Hospital highlighted issues related to:
  - Technical safeguard vulnerabilities for wireless communications
  - Vulnerabilities involving physical access to electronic information systems and the facilities
  - Administrative safeguard vulnerability related to business associate contracts

Page 15: Providence Resolution Agreement – What Does it Mean?

Background:
- Case involved 386,000 unencrypted patient records
- $100,000 resolution amount paid to HHS
- 3-year corrective action monitoring

Significance:
- Landmark case: the first to result in a monetary payment
- Sets the stage for similar action in similar cases
- Represents the evolution of CMS’ enforcement efforts

Page 16: Summary & Conclusion

- Security provides opportunity and obligation
- CMS’ three-pronged approach:
  - Outreach and Education
  - Enforcement
  - Compliance Review
- Consequences of non-compliance:
  - Loss of resources
  - Loss of time
  - Loss of TRUST

Page 17: Discussion and Questions